Comment: Retail therapy for mobile data losses
Thu, 7th February 2008
What's the best approach to protecting the confidential data on mobile devices?
By Caroline Ikomi
Newton's first law of motion states that a moving body will want to keep moving. The same law also seems to apply to confidential customer data. The problem is trying to stop that data moving further than you want it to.
Data on the move is an issue that has caught out a number of very high-profile organisations, including HMRC, the Ministry of Defence and, most recently, Marks & Spencer. All have suffered embarrassing losses of laptops or CDs, with the potential for damaging data leaks. And these losses are set to become more than just embarrassing. The Information Commissioner's Office (ICO) issued Marks & Spencer with an enforcement notice ordering the company to ensure that all laptop hard drives are fully encrypted by April 2008. Failure to comply will result in further action against the company, the ICO said. This bullish attitude can only harden in the light of other high-profile data losses, so retailers need to take extra care with customer data.

So how should you address mobile data security? Broadly, this means looking at three key issues. The first is hard disk encryption of laptops, and of smart devices such as PDAs, mobile phones and USB devices. Second is auditing and controlling data transfer and access to removable media, for example USB keys, iPods or CDs. The final issue is control of the security policy running on the user's endpoint device, irrespective of the type of device. Let's look at each of these issues in turn.

Disk encryption: full-disk or file?

Encryption for your laptops boils down to two choices: full-disk encryption (FDE) or file-based encryption. The latter is tempting, because Windows XP comes with file-based encryption built in. While this means that anything stored in specific folders or directories is encrypted automatically, there is a big security flaw: it relies on you and other users putting files in the encrypted folders themselves. That's fine in theory, but do you really want to rely on others to decide what's sensitive information, and to place it in the right folder? The advantage of full-disk encryption is that it automates the process and secures the entire disk, so your mobile users don't have to worry about it and can't interfere.
Security in hand

So far, so good, but what about PDAs and smart phones? The key here is a rigorous audit of all the devices being used within your company, and then deploying a single encryption solution to cover as many of the devices as possible. Unauthorised handheld devices should not be allowed to connect to your main network, or to store sensitive data. The solution chosen should again encrypt data automatically with no user intervention.

Stopping data leaks

It's also important to remember that the hard disk is only one storage medium on a typical laptop. This brings us to the second area for endpoint security: management and control of data leakage. This means controlling the flow of data onto peripheral devices such as CD, DVD or USB drives and portable storage media, including mp3 players and digital cameras. The starting point for protection against leaks via these devices is to include them in your acceptable usage policy (AUP) and to educate all users on the importance of following policy, and on the risks of breaching it. Policies also need to be backed up and enforced by port control solutions, which can automatically block a USB device that does not comply with the security policy, or prevent the transfer of certain files or file types. An example of a security policy could be to allow encrypted USB devices, but not an iPod or mobile phone, from an authorised user.

This leads us to the third area of endpoint security: protecting the data on the machine from software threats, such as malicious code. Effective endpoint security starts with every machine running a firewall and antivirus protection with up-to-date signatures before it is granted a connection to the central network. The endpoint security client should also ensure that the laptop is running the appropriate software patches and includes Virtual Private Networking (VPN) for secure transfer of corporate information back to the network, all managed centrally.
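To make the port control policy above concrete, here is an added example (not from the article or from any Check Point product) of a small policy engine that evaluates device plug-in and file-copy events and writes every decision to an audit trail. The device classes, blocked file types, user list and the `encrypted` attribute are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from pathlib import PurePath

# Constructed policy values for illustration only (not from any real product).
BLOCKED_CLASSES = {"ipod", "mobile_phone", "mp3_player", "camera"}
BLOCKED_SUFFIXES = {".xls", ".csv", ".mdb"}   # e.g. exported customer records


@dataclass
class Device:
    serial: str
    device_class: str   # "usb_storage", "ipod", "mobile_phone", ...
    encrypted: bool     # whether the endpoint agent recognises the device as encrypted


@dataclass
class PortControl:
    """Endpoint port-control policy: who may mount what, and what may be copied to it."""
    authorised_users: set
    mounted: dict = field(default_factory=dict)   # serial -> Device allowed by policy
    audit_log: list = field(default_factory=list)

    def _decide(self, user, action, target, decision, reason):
        # Every decision, allowed or blocked, goes to the audit trail.
        self.audit_log.append((user, action, target, decision, reason))
        return decision

    def connect(self, user, device):
        """Evaluate a plug-in event: allow or block the mount."""
        if user not in self.authorised_users:
            return self._decide(user, "connect", device.serial, "block", "user not authorised")
        if device.device_class in BLOCKED_CLASSES:
            return self._decide(user, "connect", device.serial, "block",
                                f"class '{device.device_class}' not permitted")
        if not device.encrypted:
            return self._decide(user, "connect", device.serial, "block", "storage not encrypted")
        self.mounted[device.serial] = device
        return self._decide(user, "connect", device.serial, "allow", "encrypted, authorised user")

    def transfer(self, user, serial, filename):
        """Evaluate a file copy onto a removable device."""
        if serial not in self.mounted:
            return self._decide(user, "transfer", filename, "block", "device not mounted by policy")
        if PurePath(filename).suffix.lower() in BLOCKED_SUFFIXES:
            return self._decide(user, "transfer", filename, "block", "file type not permitted")
        return self._decide(user, "transfer", filename, "allow", "file type permitted")
```

Construct a `PortControl` with the authorised user set, then feed it `connect()` and `transfer()` events; the `audit_log` list is the record you would forward to central logging.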
In conclusion, some industry observers question the need to have any sensitive data on mobile computing devices. It's an interesting point, but the data is already out there, and it's going to keep on moving. So the only effective solution is to ensure that data loaded onto mobile devices is kept locked down, for your sake and that of your customers too.

Caroline Ikomi is technical director at Check Point.
Category: Retail | Source: The Retail Bulletin
